
A prism bends light. #PRISM reporting bends truth

I wasn’t going to talk about the current fuss around PRISM, but the speed with which conjecture, rumour and some (good) newspaper investigative work has turned into ‘fact’ and ‘truth’ online makes this worth addressing.

The conjecture may be correct. The NSA, the FBI, TLA and ETLA might be plugged right into the data centres of the internet’s giants, slurping down your messages, searches and calls. If they are, that’s potentially serious. But we don’t actually know that they are, yet. Until then, reporters, bloggers, analysts and pundits are speculating and considering implications. That’s a good and useful thing to do. But they really need to stop suggesting that they’re reporting facts.

Whether PRISM turns out to be as wide-ranging as suggested or not, a lot of confusion is being caused by misinformed, malicious or badly phrased speculation. There is rarely smoke without fire, but real damage is being done here. As David Meyer notes in a piece for GigaOM this morning,

“All of this is likely to prove very problematic indeed for U.S. cloud firms trying to push further into the European market.

Imagine you’re a European government wanting to move your IT systems into the cloud. For some, nationalism and protectionism already come into play at this point – witness the French (of course) and the two national clouds that they have under development.

Now imagine you’re a U.S. firm trying to drum up business in that context. You can say you have an EU data center and you’re even willing to set up a mini-cloud in the country, just to put everyone’s mind at rest. You can say it and you can mean it, but can you really be surprised when you get laughed at because everyone now sees U.S. internet companies as being in league with the NSA? Even if you’re Amazon, which isn’t part of PRISM, you have a problem.” (my emphasis)

Most countries around the world have a legal means to access data stored on servers operating on their soil. The degree of judicial oversight – or evidence – required varies widely from one country to the next, but it is widely accepted that law enforcement agencies should be able to gain access to data under certain circumstances. It was also widely believed that this doesn’t actually happen terribly often.

Alleged information on PRISM obtained by The Guardian would suggest that this programme is able to go much further:

“Companies are legally obliged to comply with requests for users’ communications under US law, but the PRISM program allows the intelligence services direct access to the companies’ servers.”

“The PRISM program allows the NSA, the world’s largest surveillance organisation, to obtain targeted communications without having to request them from the service providers and without having to obtain individual court orders.

With this program, the NSA is able to reach directly into the servers of the participating companies and obtain both stored communications as well as perform real-time collection on targeted users.”

“The National Security Agency and the FBI are tapping directly into the central servers of nine leading U.S. Internet companies, extracting audio and video chats, photographs, e-mails, documents, and connection logs that enable analysts to track foreign targets, according to a top-secret document obtained by The Washington Post.” (my emphasis)

“The New York Times has not confirmed the authenticity of the documents, and several of the Internet companies issued statements strongly denying knowledge of or participation in the program.” (my emphasis)

Elsewhere, headlines, ‘news’ and editorials leap gleefully into the melee, proclaiming that government agencies are ‘lying,’ warning that data is being read by the NSA and FBI, accusing tech firms of collusion, and worse.

I don’t know the extent to which the powers attributed to PRISM are real. I also don’t know how often — if ever — they’ve actually been used. Nor do most of the others commenting so knowledgeably on this story. Just bear that in mind, as you read what they write.

Having a direct tap versus receiving feeds at regular intervals under the provisions of the law are technically different. All the denials released semantically reject the former but allow the possibility of the latter.

Paul Miller (http://cloudofdata.com):

Absolutely. I noted the “carefully worded” nature of these corporate denials. Just one of the things we need to learn so much more about…